PII-002: Pii Unmasked Log

PII field value written directly to log output

high • pii • uipath • power_automate • aa

What it detects

A PII field value is written directly to log output. Flowcerta currently surfaces this finding from the active validation pipeline for supported patterns.

Why it matters

PII findings matter because workflow automations regularly touch regulated identifiers, customer records, and health data. Weak auditability or unsafe logging turns ordinary bot activity into a compliance exposure.

Example violation

A Log Message activity writes a PII-named variable directly into plain logs.

Fix guidance

UiPath

  • Mask or hash PII before logging. Use structured logging with field-level masking.
  • Use platform-native assets, credentials, bounded retries, and Log Message checkpoints instead of hardcoded literals or silent failure paths.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Power Automate

  • Mask or hash PII before logging. Use structured logging with field-level masking.
  • Prefer environment-aware connectors, connection references, structured scopes, and explicit run-history logging.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Automation Anywhere

  • Mask or hash PII before logging. Use structured logging with field-level masking.
  • Move sensitive values into credential vaults or externalized configuration and keep task-bot calls explicit and reviewable.
  • Revalidate the workflow after the change and confirm the finding no longer appears.
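As an added illustration (not Flowcerta's own code, and written in platform-neutral Python rather than as a UiPath, Power Automate or Automation Anywhere artifact), the flagged pattern sits beside the field-level masking fix the guidance above describes; the PII field names, the pepper and the sample record are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed set of PII-named fields for this example (assumption: the rule
# keys on variable/field names like these).
PII_FIELDS = {"ssn", "email", "dob", "phone"}
# Constructed pepper. In a real workflow load it from a credential asset or
# vault; a hardcoded literal like this is itself a finding.
PEPPER = b"example-pepper-not-for-production"


def mask_value(field, value):
    """Non-reversible stand-in: keyed hash prefix, so equal values still correlate
    across log lines for triage without exposing the identifier."""
    digest = hmac.new(PEPPER, str(value).encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{field}:hmac:{digest}>"


def mask_record(record):
    """Field-level masking: PII-named keys are replaced, other keys pass through."""
    return {k: (mask_value(k, v) if k.lower() in PII_FIELDS else v)
            for k, v in record.items()}


def unsafe_log_line(record):
    """The pattern PII-002 flags: raw PII interpolated into a plain log message."""
    return f"Processing claim for {record['ssn']} ({record['email']})"


def safe_log_record(event, record):
    """Structured log event with masked PII fields (what the fix should emit)."""
    return {"event": event, **mask_record(record)}


def safe_log_line(event, record):
    return json.dumps(safe_log_record(event, record), sort_keys=True)


def contains_raw_pii(line, record):
    """Verification check: does any raw PII value survive in the emitted line?"""
    return any(str(record[k]) in line for k in PII_FIELDS if k in record)


if __name__ == "__main__":
    # Constructed sample record.
    rec = {"claim_id": "C-1001", "ssn": "123-45-6789", "email": "jane@example.com"}
    print(unsafe_log_line(rec))          # leaks SSN and email
    print(safe_log_line("claim", rec))   # masked, still correlatable
```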

Verification steps

  1. Run validation again and confirm the rule no longer appears in the finding list.
  2. Review the changed workflow artifact directly to verify the risky pattern is gone.
  3. Capture the new validation result as evidence for the relevant owner or compliance review.

Compliance references

  • SOC2 CC6.8 — Logical Access Controls — Transmission/Output
  • GDPR Art.32 — Security of Processing

This page is generated from canonical rule seed data plus the current runtime validation mapping.